Open Atharex opened 8 months ago
Hi @Atharex thanks for the report! I've reproduced the issue and will move it to our backlog. Details below.
I think there are two things going on here:
syft -q schnatterer/micronaut-getting-started:latest | grep micro
micronaut-getting-started 0.1 java-archive
So Syft doesn't find an instance of a vulnerable jar in the image. Do you know for sure the image has a vulnerable jar in it?
However, to check whether Grype is working as expected here, I downloaded the jar directly
wget https://repo1.maven.org/maven2/io/micronaut/micronaut-http-server/3.8.2/micronaut-http-server-3.8.2.jar
syft -q -o json micronaut-http-server-3.8.2.jar | jq '.artifacts[] | { name: .name, purl: .purl }'
Which prints:
{
"name": "micronaut-http-server",
"purl": "pkg:maven/io.micronaut.http_server/micronaut-http-server@3.8.2"
}
I think the issue here is that we think the group id is io.micronaut.http_server, but according to https://mvnrepository.com/artifact/io.micronaut/micronaut-http-server/3.8.2, it should be just io.micronaut.
If I write out an SBOM, and edit it so that the PURL on this package has the correct group ID (pkg:maven/io.micronaut/micronaut-http-server@3.8.2), then grype reports the CVE correctly.
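The workaround the comment above describes (write out the Syft SBOM, correct the group ID in the package's purl, then scan the edited SBOM with Grype) as a small script. This is an added example, not code from Syft, Grype or the commenter. It assumes Syft's JSON output lists packages under "artifacts", each with a "purl" string, and the override table mapping artifactId to the correct groupId is a hypothetical input the operator maintains; the embedded sample SBOM is constructed to mimic the output quoted above.

```python
"""Rewrite the Maven group ID (purl namespace) of selected packages in a Syft JSON SBOM.

Added example (not Syft's or Grype's own code). Assumes Syft JSON keeps packages
under "artifacts" with a "purl" field; the override table is hypothetical input.
"""
import json
import re
import sys
from typing import Dict, Optional, Tuple

# A Maven purl: pkg:maven/<groupId>/<artifactId>@<version>[?qualifiers][#subpath]
_MAVEN_PURL = re.compile(
    r"^pkg:maven/(?P<namespace>[^/@?#]+)/(?P<name>[^/@?#]+)"
    r"(?:@(?P<version>[^?#]+))?(?P<rest>[?#].*)?$"
)


def parse_maven_purl(purl: str) -> Optional[dict]:
    """Split a Maven purl into namespace, name, version and trailing qualifiers/subpath."""
    m = _MAVEN_PURL.match(purl)
    return m.groupdict() if m else None


def build_maven_purl(namespace: str, name: str, version: Optional[str], rest: Optional[str]) -> str:
    """Reassemble a Maven purl, keeping version and any qualifiers untouched."""
    out = f"pkg:maven/{namespace}/{name}"
    if version:
        out += f"@{version}"
    if rest:
        out += rest
    return out


def fix_maven_purl(purl: str, overrides: Dict[str, str]) -> Tuple[str, bool]:
    """Return (purl, changed): the purl with its groupId corrected when the artifactId is in overrides."""
    parts = parse_maven_purl(purl)
    if parts is None:  # not a Maven purl (npm, python, ...): leave alone
        return purl, False
    wanted = overrides.get(parts["name"])
    if wanted is None or wanted == parts["namespace"]:
        return purl, False
    return build_maven_purl(wanted, parts["name"], parts["version"], parts["rest"]), True


def rewrite_sbom(sbom: dict, overrides: Dict[str, str]) -> Tuple[dict, int]:
    """Return a copy of the SBOM with corrected purls and the number of artifacts rewritten."""
    out = json.loads(json.dumps(sbom))  # deep copy so the caller's document is untouched
    changed = 0
    for art in out.get("artifacts", []):
        purl = art.get("purl")
        if not isinstance(purl, str):
            continue
        new_purl, did_change = fix_maven_purl(purl, overrides)
        if did_change:
            art["purl"] = new_purl
            changed += 1
    return out, changed


# Hypothetical override table: artifactId -> correct groupId (the one Maven Central publishes).
OVERRIDES: Dict[str, str] = {"micronaut-http-server": "io.micronaut"}

# Constructed sample mimicking the Syft JSON quoted in the comment; not real Syft output.
SAMPLE_SBOM = {
    "artifacts": [
        {"name": "micronaut-http-server", "version": "3.8.2", "type": "java-archive",
         "purl": "pkg:maven/io.micronaut.http_server/micronaut-http-server@3.8.2"},
        {"name": "jackson-databind", "version": "2.14.0", "type": "java-archive",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.14.0"},
    ]
}


if __name__ == "__main__":
    # Usage: python fix_purls.py sbom.json > fixed.json   (or read from stdin with no argument)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    fixed, n = rewrite_sbom(json.load(src), OVERRIDES)
    json.dump(fixed, sys.stdout, indent=2)
    print(f"rewrote {n} purl(s)", file=sys.stderr)
```

Usage matches the comment's workflow: `syft -o json <image> > sbom.json`, run the script to produce `fixed.json`, then `grype sbom:fixed.json`. Only the purl is touched; the parser deliberately preserves the version and any `?type=...` qualifiers so the edited package still matches exactly what Grype would otherwise see.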
Dev notes: Syft reporting wrong group ID for JARs like this one: https://mvnrepository.com/artifact/io.micronaut/micronaut-http-server/3.8.2
What happened: Grype/Syft do not detect CVE-2024-23639, a vulnerability of the Micronaut framework for Java/Kotlin
What you expected to happen: The Micronaut component to be listed by Syft and recognized as vulnerable by Grype for CVE-2024-23639
How to reproduce it (as minimally and precisely as possible): You could probably test it on any old publicly accessible image with micronaut. Example:
grype schnatterer/micronaut-getting-started:latest
Anything else we need to know?:
Environment:
Output of grype version:
Application: grype
Version: 0.74.6
BuildDate: 2024-02-14T22:19:32Z
GitCommit: b9cf0e5cf89b47dc2d34315855d68542e817657c
GitDescription: v0.74.6
Platform: darwin/arm64
GoVersion: go1.21.7
Compiler: gc
Syft Version: v0.105.0
Supported DB Schema: 5
OS (e.g: cat /etc/os-release or similar): MacOS